Active Directory GPO for Password Policy Not Applying from Default Domain Policy
The password policy should be applied to the OU of the servers where the account database is. If you are trying to control the password on the active directory this means your policy should be applied to Domain Controllers OU. If you have inheritance blocked on your Domain Controllers OU, then modifying the Default Domain policy which is linked at the root by default will not do what you want.
By setting the policy at the default domain level you are probably controlling the password policy of your workstation. By this I mean the local accounts on your workstations would have now have the password requirements. Try creating a local account and setting a password.
This is partly relates to the same reason why you cannot have more then one password policy in a pre Windows 2008 domain. The policy must be applied to all the Domain Controllers, so there is no way to distinguish between different users/computers.
Even with the fine-grained policies in 2008 you cannot simply use a group policy, you have to setup special attributes in LDAP to have different objects target different password policies.
tacos_tacos_tacos
Updated on September 18, 2022Comments
-
tacos_tacos_tacos almost 2 years
Ok. I have implemented a Password Policy. I know from previous posts that it cannot be applied from within an OU so I have configured it from the Default Domain Policy. I run RSOP.msc from a client machine and the policy settings are displayed with the Source GPO "Default Domain Policy." So it appears that it is working, but it's not. For example, I have a complexity requirement, but it accepts the password "a." It also allows me to change my password within Windows Security while the setting is "Minimum password age" of 89 days. Clearly the policy is not actually being applied!
What to do?
RSOP results for XXXX\XXXX on XXXXX-XXXXX: Logging Mode ---------------------------------------------------------- OS Type: Microsoft Windows XP Professional OS Configuration: Member Workstation OS Version: 5.1.2600 Domain Name: XXXXXX Domain Type: Windows 2000 Site Name: XXXXXX Roaming Profile: Local Profile: C:\Documents and Settings\XXXXX Connected over a slow link?: No COMPUTER SETTINGS ------------------ CN=XXXXXXXXX,OU=UserComputers,DC=corp,DC=XXXXX,DC=com Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM Group Policy was applied from: tfs.corp.emergingmed.com Group Policy slow link threshold: 0 kbps Applied Group Policy Objects ----------------------------- Published Software Copy of Base Default Domain Policy The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Local Group Policy Filtering: Not Applied (Empty) The computer is a part of the following security groups: -------------------------------------------------------- BUILTIN\Administrators Everyone SQLServerMSSQLServerADHelperUser$XXXXX BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users XXXXXXX$ Domain Computers People USER SETTINGS -------------- CN=XXXXXX,OU=Employees,DC=corp,DC=XXXX,DC=com Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM Group Policy was applied from: tfs.corp.XXXXX.com Group Policy slow link threshold: 0 kbps Applied Group Policy Objects ----------------------------- Published Software Startup Scripts Copy of Base Default Domain Policy The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Local Group Policy Filtering: Not Applied (Empty) The user is a part of the following security groups: ---------------------------------------------------- Domain Users Everyone BUILTIN\Administrators Remote Desktop Users BUILTIN\Users NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users LOCAL
-
Ben Pilbrow over 12 yearsJust to rule out weirdness, have you done a
gpupdate
on an affected machine? -
tacos_tacos_tacos over 12 yearsI restarted the machine several times since it was computer policy and my understanding is that computer policy changes require a restart - and upon restart it should do a gprefresh. I just did one anyway though and I posted the gpresult above.
-
tacos_tacos_tacos over 12 yearsDo you think it matters that my PC is in an OU (UserComputers)?
-
-
tacos_tacos_tacos over 12 yearsYou sir are excellent